How can a scammer actually reply from a spoofed email address?
I (mostly) understand how a scammer can send an email from a spoofed account, all you need is an unsecured SMTP server.
But how is it possible for a scammer to RESPOND and maintain an email conversation with the victim from the spoofed address? In this case, there was no "reply-to" and the domain is completely legitimate.
The only clue was that the mail address of the responder (scammer) was in some (not all) cases suffixed with a "1", i.e. email@example.com and firstname.lastname@example.org.
My first thought was that the mail server at "legitdomain.com" was compromised, in which case pulling this off should be fairly simple since you can receive and respond to emails and create rules to redirect emails from target addresses so that the domain owner staff don't see them. You can also read incoming/outgoing emails to help with target selection, i.e. target a recently invoiced client that is about to make a payment and convince them that the banking details changed.
But is there a way to do this without having access to the mail server?
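The question turns on what the receiving side can actually see. The following is an added triage example (not code from the question or its answers) that parses a message's headers with Python's standard library and reports the mismatches a defender checks first: a Reply-To or Return-Path domain that differs from the From domain, and SPF/DKIM/DMARC results that are not "pass". Both sample messages, the domain names and the mail-server hostnames in them are constructed for the example.

```python
"""Header triage for a suspicious reply.

Added example, not from the original question or answer; standard library only.
The two raw messages below are constructed samples: the first is a classic
spoof (legitimate From domain, relayed through an unrelated server, failing
authentication), the second is what a message from a compromised but genuine
account looks like (everything passes).
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_SPOOFED_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=legitdomain.com
From: Accounts <accounts@legitdomain.com>
To: victim@example.org
Subject: Updated banking details

Please use the new account for the open invoice.
"""

SAMPLE_COMPROMISED_RAW = """\
Return-Path: <jane.doe@legitdomain.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=legitdomain.com; dkim=pass header.d=legitdomain.com; dmarc=pass header.from=legitdomain.com
From: Jane Doe <jane.doe@legitdomain.com>
To: victim@example.org
Subject: Re: Invoice 1042

Our bank changed, please see the attached details.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    _, email = parseaddr(header_value or "")
    return email.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Extract spf/dkim/dmarc results from an Authentication-Results header."""
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.I):
        results[m.group(1).lower()] = m.group(2).lower()
    return results


def triage_headers(raw_message):
    """Return the From domain, parsed auth results and a list of findings."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    # No Reply-To means replies go back to the From address itself.
    reply_dom = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    return_dom = domain_of(msg.get("Return-Path"))
    auth = parse_auth_results(msg.get("Authentication-Results"))

    findings = []
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")
        if result != "pass":
            findings.append(f"{method} result: {result}")
    return {"from_domain": from_dom, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED_RAW), ("compromised", SAMPLE_COMPROMISED_RAW)):
        report = triage_headers(raw)
        print(label, report["from_domain"], report["findings"] or "no header findings")
```

The second sample is the important caveat: when the attacker is replying from a genuine mailbox at the legitimate domain, every alignment and authentication check passes and header triage alone finds nothing. At that point the evidence has to come from elsewhere, such as the mailbox's own login and inbox-rule audit logs, or an out-of-band confirmation of the changed payment details.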
There are two ways that this might be "spoofed":
The first way is that the adversary actually has control of the mailserver or a compromised account. It's not uncommon for adversaries to try to hijack a legit email address as a means to send phishing attacks. During my time as a SOC analyst (I worked for a large medical university) we would often get phishing emails coming from real .edu addresses. The adversary would initially compromise some random account from another university, and then send phishing messages from those accounts as a means to add credibility to their asks. Part of my job was to call these other schools and tell them that they had a compromised account.
The second option could be that they registered a domain that looks just like the real one. A trivial example would be something like m1crosoft.com. Some of these are so close and well crafted that it takes a trained eye to catch them. It's even harder if it's not a well-known brand, in which case you may not know what the actual URL is, so you wouldn't know that "mycompnay.com" is actually a 'spoofed' version of my-company.com.
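The lookalike-domain case above is one a mail filter can catch mechanically, and the "same address with a 1 on the end" detail from the question can be caught the same way. The following added example (not the answer author's code) compares each sender against a list of trusted domains after normalising common visual substitutions (1 for i or l, 0 for o, rn for m, dropped hyphens) and measuring a small edit distance, and separately flags a local part that is a known contact's name with digits appended. The trusted domains, the contact list and the sample addresses are all constructed for the example; the substitution table is deliberately short and is an assumption, not a complete homoglyph set.

```python
"""Lookalike sender detection.

Added example, not from the original answer. Classifies the domain of a sender
address as trusted, lookalike or unrelated, and flags local-part variants of
known contacts. All domains and addresses below are constructed samples.
"""
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"microsoft.com", "my-company.com", "legitdomain.com"}
KNOWN_CONTACTS = {"jane.doe@legitdomain.com", "accounts@legitdomain.com"}

# Visual-confusion classes. Multi-character entries come first so "rn" is
# folded before the single letters. Assumption: enough for the page's
# examples; a production table is considerably larger.
MULTI_CHAR = {"rn": "m", "vv": "w"}
SINGLE_CHAR = {"1": "i", "l": "i", "0": "o", "3": "e", "5": "s", "7": "t"}


def normalize(domain):
    """Fold confusable characters to one canonical form and drop separators."""
    d = domain.lower()
    for fake, real in MULTI_CHAR.items():
        d = d.replace(fake, real)
    for fake, real in SINGLE_CHAR.items():
        d = d.replace(fake, real)
    return d.replace("-", "").replace(".", "")


def levenshtein(a, b):
    """Plain edit distance; small enough inputs that O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(addr):
    _, email = parseaddr(addr)
    local, _, domain = email.rpartition("@")
    return local.lower(), domain.lower()


def classify_sender(addr, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted'|'lookalike'|'unrelated', matched trusted domain or None)."""
    _, domain = split_address(addr)
    if domain in trusted:
        return "trusted", domain
    norm = normalize(domain)
    best = None
    for candidate in trusted:
        dist = levenshtein(norm, normalize(candidate))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, candidate)
    return ("lookalike", best[1]) if best else ("unrelated", None)


def contact_variant(addr, contacts=KNOWN_CONTACTS):
    """Return the known contact this address imitates by appending digits, if any.

    Catches the pattern from the question: jane.doe1@legitdomain.com when the
    real contact is jane.doe@legitdomain.com.
    """
    local, domain = split_address(addr)
    stripped = re.sub(r"\d+$", "", local)
    if stripped == local:
        return None
    candidate = f"{stripped}@{domain}"
    return candidate if candidate in contacts else None


if __name__ == "__main__":
    for sample in ("accounts@legitdomain.com", "Support <help@m1crosoft.com>",
                   "billing@mycompnay.com", "Jane Doe <jane.doe1@legitdomain.com>",
                   "news@example.org"):
        print(sample, classify_sender(sample), contact_variant(sample))
```

The two checks answer different halves of the answer above. The domain classifier covers the registered-lookalike case; it knows nothing about the compromised-account case, where the domain really is the trusted one and only the local part (or nothing at all) differs, which is why the contact-variant check and the mailbox audit are needed alongside it.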